test.mysmartlogon.com

2020-08-25
2020-09-25
2020-10-25
2020-11-25
2020-12-25
2021-01-25
2021-02-25
Points | Level | Category | Model | RiskId | Rationale | LastAppearance
60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 | 2020-11-25
60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 | 2020-12-25
50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 | 2020-10-25
50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 | 2020-12-25
45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC | 2021-01-25
30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 | 2020-11-25
30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 | 2021-01-25
25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1 | 2020-10-25
20 | 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which have not the flag "this account is sensitive and cannot be delegated": 8 | 2020-08-25
20 | 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago | 2020-08-25
15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grant the right to get in the recovery mode without being admin | 2020-09-25
15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory | 2020-12-25
15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 | 2020-10-25
15 | 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago | 2020-08-25
10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 | 2021-01-25
10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 | 2020-09-25
10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group | 2020-10-25
10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain | 2020-12-25
10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. | 2020-09-25
10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC | 2020-10-25
5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature | 2021-01-25
5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. | 2020-09-25
5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 | 2020-09-25
1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4 | 2020-11-25
Date | Maturity | Global score | Total score | Anomalies | Privileged Accounts | Stale Objects | Trusts
2020-08-25 | 1 | 100 | 766 | 184 | 360 | 97 | 125
2020-09-25 | 1 | 100 | 711 | 149 | 340 | 97 | 125
2020-10-25 | 1 | 100 | 666 | 134 | 325 | 82 | 125
2020-11-25 | 1 | 100 | 556 | 134 | 275 | 72 | 75
2020-12-25 | 1 | 100 | 460 | 134 | 185 | 66 | 75
2021-01-25 | 1 | 100 | 325 | 74 | 185 | 41 | 25
2021-02-25 | 1 | 100 | 240 | 59 | 110 | 46 | 25
Level | Category | Model | RiskId | Rationale | 2021-02-25 | 2021-01-25 | 2020-12-25 | 2020-11-25 | 2020-10-25 | 2020-09-25 | 2020-08-25
3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events. |  |  |  |  |  | 10 | 10
3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled. | 0 | 0 | 0 | 0 | 0 | 0 | 0
3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago |  |  |  |  |  |  | 15
3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes. | 10 | 10 | 10 | 10 | 10 | 10 | 10
2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago |  |  |  |  |  |  | 20
3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature |  | 5 | 5 | 5 | 5 | 5 | 5
1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1] | 5 | 5 | 5 | 5 | 5 | 5 | 5
2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2 | 10 | 10 | 10 | 10 | 10 | 10 | 10
4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease | 0 | 0 | 0 | 0 | 0 | 0 | 0
4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20) | 0 | 0 | 0 | 0 | 0 | 0 | 0
2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1 |  | 10 | 10 | 10 | 10 | 10 | 10
2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group. |  |  |  |  |  | 5 | 5
3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group | 2 | 2 | 2 | 2 | 2 | 2 | 2
3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain. | 0 | 0 | 0 | 0 | 0 | 0 | 0
1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3 |  |  | 60 | 60 | 60 | 60 | 60
3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6] | 1 | 1 | 1 | 1 | 1 | 1 | 1
3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11] | 0 | 0 | 0 | 0 | 0 | 0 | 0
3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1 | 30 | 30 | 30 | 30 | 30 | 30 | 30
3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password | 0 | 0 | 0 | 0 | 0 | 0 | 0
3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4] | 1 | 1 | 1 | 1 | 1 | 1 | 1
1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5 | 10 | 10 | 10 | 10 | 10 | 10 | 10
1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions. | 25 | 25 | 25 | 25 | 25 | 25 | 25
3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group |  |  |  |  | 10 | 10 | 10
3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which have not the flag "this account is sensitive and cannot be delegated": 8 |  |  |  |  |  |  | 20
1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1 |  |  |  |  | 25 | 25 | 25
2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2 |  |  |  | 30 | 30 | 30 | 30
2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3 | 45 | 45 | 45 | 45 | 45 | 45 | 45
2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2 |  | 30 | 30 | 30 | 30 | 30 | 30
4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1 | 5 | 5 | 5 | 5 | 5 | 5 | 5
1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack. | 5 | 5 | 5 | 5 | 5 | 5 | 5
1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC |  | 45 | 45 | 45 | 45 | 45 | 45
3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty | 0 | 0 | 0 | 0 | 0 | 0 | 0
2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4 |  |  |  | 60 | 60 | 60 | 60
2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grant the right to get in the recovery mode without being admin |  |  |  |  |  | 15 | 15
3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty | 5 | 5 | 5 | 5 | 5 | 5 | 5
3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing | 5 | 5 | 5 | 5 | 5 | 5 | 5
3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s) | 10 | 10 | 10 | 10 | 10 | 10 | 10
4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1 |  |  |  |  | 15 | 15 | 15
3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain |  |  | 10 | 10 | 10 | 10 | 10
3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1 | 15 | 15 | 15 | 15 | 15 | 15 | 15
1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1 | 5 | 5 | 5 | 5 | 5 | 5 | 5
1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1 | 5 |  |  | 5 | 5 | 5 | 5
1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1 | 15 | 15 | 15 | 15 | 15 | 15 | 15
1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1 |  |  |  |  |  | 10 | 10
3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled | 5 | 5 | 5 | 5 | 5 | 5 | 5
1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1 | 5 | 5 | 5 | 5 | 5 | 5 | 5
2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1 |  |  |  |  |  | 5 | 5
2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1 | 1 | 1 | 1 | 1 | 1 | 1 | 1
2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4 |  |  |  | 1 | 1 | 1 | 1
3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory |  |  | 15 | 15 | 15 | 15 | 15
3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC |  |  |  |  | 10 | 10 | 10
2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2 | 20 | 20 | 20 | 20 | 20 | 20 | 20
1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1 |  |  |  |  | 50 | 50 | 50
3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2 |  |  | 50 | 50 | 50 | 50 | 50
Name | Value
PingCastle version | 2.9.0.0 Beta
Generated on | Tuesday 25 August 2020
Report age | 1293 day(s)
Domain maturity | 1
Domain mode | Windows2008R2
Forest mode | Windows2008R2
Total score | 766 point(s)
The worst score out of the four items
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories

Risk rules resolved

Name
No data available to display.

New risk rules triggered

Name
No data available to display.
Points | Level | Category | Model | RiskId | Rationale
60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4
60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3
50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1
50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2
45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3
45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC
30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2
30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1
30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2
25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1
25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions.
20 | 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which have not the flag "this account is sensitive and cannot be delegated": 8
20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2
20 | 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago
15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grant the right to get in the recovery mode without being admin
15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1
15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory
15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1
15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1
15 | 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago
10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1
10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2
10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5
10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1
10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group
10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes.
10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s)
10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain
10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events.
10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC
5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature
5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1
5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack.
5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group.
5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty
5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing
5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1
5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1]
5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1
5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1
5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1
5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled
2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group
1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4]
1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6]
1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4
1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1
0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11]
0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password
0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain.
0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty
0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20)
0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled.
0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease
Name | Value
PingCastle version | 2.9.0.0 Beta
Generated on | Friday 25 September 2020
Report age | 1262 day(s)
Domain maturity | 1
Domain mode | Windows2008R2
Forest mode | Windows2008R2
Total score | 711 point(s)
The worst score out of the four items
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories

Risk rules resolved

Points | Level | Category | Model | RiskId | Rationale
20 | 3 | PrivilegedAccounts | AccountTakeOver | P-Delegated | Presence of Admin accounts which have not the flag "this account is sensitive and cannot be delegated": 8
20 | 2 | Anomalies | GoldenTicket | A-Krbtgt | Last change of the Kerberos password: 533 day(s) ago
15 | 3 | Anomalies | Backup | A-BackupMetadata | Last AD backup has been performed 3096 day(s) ago

New risk rules triggered

Name
No data available to display.
Points | Level | Category | Model | RiskId | Rationale
60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4
60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3
50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1
50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2
45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3
45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC
30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2
30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1
30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2
25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1
25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions.
20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2
15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grant the right to get in the recovery mode without being admin
15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1
15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory
15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1
15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1
10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1
10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2
10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5
10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1
10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group
10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes.
10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s)
10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain
10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events.
10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC
5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature
5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1
5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack.
5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group.
5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty
5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing
5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1
5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1]
5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1
5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1
5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1
5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled
2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group
1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4]
1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6]
1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4
1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1
0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11]
0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password
0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain.
0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty
0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20)
0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled.
0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease
Name | Value
PingCastle version | 2.9.0.0 Beta
Generated on | Sunday 25 October 2020
Report age | 1232 day(s)
Domain maturity | 1
Domain mode | Windows2008R2
Forest mode | Windows2008R2
Total score | 666 point(s)
The worst score out of the four items
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories

Risk rules resolved

Points | Level | Category | Model | RiskId | Rationale
15 | 2 | PrivilegedAccounts | ACLCheck | P-RecoveryModeUnprotected | At least one GPO grant the right to get in the recovery mode without being admin
10 | 1 | StaleObjects | Provisioning | S-DCRegistration | Number of DC with a configuration issue: 1
10 | 3 | Anomalies | Audit | A-AuditDC | The audit policy on domain controllers does not collect key events.
5 | 2 | Anomalies | Reconnaissance | A-PreWin2000Anonymous | The group Everyone and/or Anonymous is present in the Pre-Windows 2000 group.
5 | 2 | StaleObjects | ObsoleteOS | S-OS-2008 | Presence of Windows 2008 = 1

New risk rules triggered

Name
No data available to display.
Points | Level | Category | Model | RiskId | Rationale
60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4
60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3
50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1
50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2
45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3
45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC
30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2
30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1
30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2
25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1
25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions.
20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2
15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1
15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory
15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1
15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1
10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1
10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2
10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5
10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group
10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes.
10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s)
10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain
10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC
5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature
5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1
5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack.
5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty
5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing
5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1
5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1]
5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1
5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1
5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled
2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group
1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4]
1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6]
1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4
1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1
0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11]
0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password
0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain.
0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty
0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20)
0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled.
0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease
Name | Value
PingCastle version | 2.9.0.0 Beta
Generated on | Wednesday 25 November 2020
Report age | 1201 day(s)
Domain maturity | 1
Domain mode | Windows2008R2
Forest mode | Windows2008R2
Total score | 556 point(s)
The worst score out of the four items
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories

Risk rules resolved

Points | Level | Category | Model | RiskId | Rationale
50 | 1 | Trusts | SIDFiltering | T-SIDFiltering | Number of trusts without SID Filtering: 1
25 | 1 | PrivilegedAccounts | DelegationCheck | P-DelegationDCa2d2 | Number of DC with a contrained delegation: 1
15 | 4 | PrivilegedAccounts | DelegationCheck | P-UnkownDelegation | Presence of unknown account in delegation: 1
10 | 3 | PrivilegedAccounts | ACLCheck | P-DCOwner | 1 domain controller(s) have been found where the owner is not the Domain Admins group or the Enterprise Admins group
10 | 3 | StaleObjects | OldAuthenticationProtocols | S-SMB-v1 | SMB v1 activated on 1 DC

New risk rules triggered

Name
No data available to display.
PointsLevelCategoryModelRiskIdRationale
602PrivilegedAccountsPrivilegeControlP-PrivilegeEveryoneNumber of privileges granted by GPO to any user: 4
601AnomaliesPasswordRetrievalA-PwdGPONumber of password(s) found in GPO: 3
503TrustsSIDHistoryT-SIDHistorySameDomainAccount(s) with SID History matching the domain = 2
452PrivilegedAccountsACLCheckP-DelegationGPODataNumber of GPO items that can be modified by any user: 3
451PrivilegedAccountsACLCheckP-LoginDCEveryoneAnyone can interactively or remotely login to a DC
302PrivilegedAccountsDelegationCheckP-DelegationEveryonePresence of delegation where anybody can act: 2
303AnomaliesPassTheCredentialA-SmartCardRequiredNumber of account(s) using a smart card whose password is not changed: 1
302PrivilegedAccountsACLCheckP-DelegationLoginScriptNumber of login scripts that can be modified by any user: 2
251PrivilegedAccountsControlPathP-ControlPathIndirectEveryoneEveryone can take control of a key domain object by abusing targeted permissions.
202TrustsTrustInactiveT-InactiveAt least one inactive trust has been found: 2
153StaleObjectsObjectConfigS-C-PrimaryGroupPresence of wrong primary group for computers: 1
153StaleObjectsObjectConfigS-SIDHistory1 domain(s) used in SIDHistory
151StaleObjectsVulnerabilityManagementS-DC-NotUpdatedNumber of DC not updated = 1
102AnomaliesReconnaissanceA-NullSessionNumber of DC(s) with NULL SESSION enabled: 1
102AnomaliesWeakPasswordA-MinPwdLenPolicy where the password length is less than 8 characters: 2
101PrivilegedAccountsAccountTakeOverP-AdminPwdTooOldNumber of admin with a password older than 3 years: 5
103AnomaliesCertificateTakeOverA-DCLdapsProtocolAt least one DC uses a weak SSL protocol for server side purposes.
10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s)
10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain
5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature
5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1
5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack.
5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty
5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing
5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1
5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1]
5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1
5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1
5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled
2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group
1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4]
1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6]
1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4
1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1
0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11]
0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password
0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain.
0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty
0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20)
0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled.
0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease
Name | Value
PingCastle version | 2.9.0.0 Beta
Generated on | Friday 25 December 2020
Report age | 1171 day(s)
Domain maturity | 1
Domain mode | Windows2008R2
Forest mode | Windows2008R2
Total score | 460 point(s)
The worst score out of the four items
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories

Risk rules resolved

Points | Level | Category | Model | RiskId | Rationale
60 | 2 | PrivilegedAccounts | PrivilegeControl | P-PrivilegeEveryone | Number of privileges granted by GPO to any user: 4
30 | 2 | PrivilegedAccounts | DelegationCheck | P-DelegationEveryone | Presence of delegation where anybody can act: 2
5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1
1 | 2 | StaleObjects | ObjectConfig | S-PwdNeverExpires | Number of accounts which has never-expiring passwords: 4

New risk rules triggered

No data available to display.
Points | Level | Category | Model | RiskId | Rationale
60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3
50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2
45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3
45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC
30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1
30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2
25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions.
20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2
15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1
15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory
15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1
10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1
10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2
10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5
10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes.
10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s)
10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain
5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature
5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1
5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack.
5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty
5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing
5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1
5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1]
5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1
5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled
2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group
1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4]
1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6]
1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1
0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11]
0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password
0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain.
0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty
0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20)
0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled.
0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease
Name | Value
PingCastle version | 2.9.0.0 Beta
Generated on | Monday 25 January 2021
Report age | 1140 day(s)
Domain maturity | 1
Domain mode | Windows2008R2
Forest mode | Windows2008R2
Total score | 325 point(s)
The worst score out of the four items
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories

Risk rules resolved

Points | Level | Category | Model | RiskId | Rationale
60 | 1 | Anomalies | PasswordRetrieval | A-PwdGPO | Number of password(s) found in GPO: 3
50 | 3 | Trusts | SIDHistory | T-SIDHistorySameDomain | Account(s) with SID History matching the domain = 2
15 | 3 | StaleObjects | ObjectConfig | S-SIDHistory | 1 domain(s) used in SIDHistory
10 | 3 | StaleObjects | Provisioning | S-ADRegistration | Non-admin users can add up to 10 computer(s) to a domain

New risk rules triggered

No data available to display.
Points | Level | Category | Model | RiskId | Rationale
45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3
45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC
30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1
30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2
25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions.
20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2
15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1
15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1
10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1
10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2
10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5
10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes.
10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s)
5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature
5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1
5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack.
5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty
5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing
5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1
5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1]
5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1
5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled
2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group
1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4]
1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6]
1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1
0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11]
0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password
0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain.
0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty
0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20)
0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled.
0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease
Name | Value
PingCastle version | 2.9.0.0 Beta
Generated on | Thursday 25 February 2021
Report age | 1109 day(s)
Domain maturity | 1
Domain mode | Windows2008R2
Forest mode | Windows2008R2
Total score | 240 point(s)
The worst score out of the four items
Specific security control points
Administrators of the Active Directory
Operations related to user or computer objects
Connections between two Active Directories

Risk rules resolved

Points | Level | Category | Model | RiskId | Rationale
45 | 1 | PrivilegedAccounts | ACLCheck | P-LoginDCEveryone | Anyone can interactively or remotely login to a DC
30 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationLoginScript | Number of login scripts that can be modified by any user: 2
10 | 2 | Anomalies | Reconnaissance | A-NullSession | Number of DC(s) with NULL SESSION enabled: 1
5 | 3 | Anomalies | NetworkSniffing | A-LDAPSigningDisabled | At least one GPO disables explicitly LDAP client signature

New risk rules triggered

Points | Level | Category | Model | RiskId | Rationale
5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1
Points | Level | Category | Model | RiskId | Rationale
45 | 2 | PrivilegedAccounts | ACLCheck | P-DelegationGPOData | Number of GPO items that can be modified by any user: 3
30 | 3 | Anomalies | PassTheCredential | A-SmartCardRequired | Number of account(s) using a smart card whose password is not changed: 1
25 | 1 | PrivilegedAccounts | ControlPath | P-ControlPathIndirectEveryone | Everyone can take control of a key domain object by abusing targeted permissions.
20 | 2 | Trusts | TrustInactive | T-Inactive | At least one inactive trust has been found: 2
15 | 3 | StaleObjects | ObjectConfig | S-C-PrimaryGroup | Presence of wrong primary group for computers: 1
15 | 1 | StaleObjects | VulnerabilityManagement | S-DC-NotUpdated | Number of DC not updated = 1
10 | 2 | Anomalies | WeakPassword | A-MinPwdLen | Policy where the password length is less than 8 characters: 2
10 | 1 | PrivilegedAccounts | AccountTakeOver | P-AdminPwdTooOld | Number of admin with a password older than 3 years: 5
5 | 1 | StaleObjects | InactiveUserOrComputer | S-DC-Inactive | Number of DC inactive: 1
10 | 3 | Anomalies | CertificateTakeOver | A-DCLdapsProtocol | At least one DC uses a weak SSL protocol for server side purposes.
10 | 3 | PrivilegedAccounts | IrreversibleChange | P-SchemaAdmin | The group Schema Admins is not empty: 2 account(s)
5 | 4 | PrivilegedAccounts | ACLCheck | P-DNSAdmin | Number of members of the Dns Admins group: 1
5 | 1 | PrivilegedAccounts | AccountTakeOver | P-Kerberoasting | At least one member of an admin group is vulnerable to the kerberoast attack.
5 | 3 | PrivilegedAccounts | RODC | P-RODCAllowedGroup | The Allowed RODC Password Replication Group group is not empty
5 | 3 | PrivilegedAccounts | RODC | P-RODCDeniedGroup | The Denied RODC Password Replication Group group has some of its default members missing
5 | 1 | StaleObjects | ObsoleteOS | S-DC-2008 | Presence of Windows 2008 as DC = 1
5 | 1 | Anomalies | NetworkSniffing | A-LMHashAuthorized | At least one policy has been found where the LM hash can be used [1]
5 | 1 | StaleObjects | ObjectConfig | S-NoPreAuthAdmin | Number of admin accounts which do not require kerberos pre-authentication: 1
5 | 3 | Trusts | SIDHistory | S-Domain$$$ | The SIDHistory auditing group is present: SID History creation is enabled
2 | 3 | Anomalies | Reconnaissance | A-PreWin2000Other | At least one user, computer or group has been added as a member to the PreWin2000 compatible group
1 | 3 | Anomalies | CertificateTakeOver | A-WeakRSARootCert2 | At least one trusted certificate found has a relatively weak RSA key [4]
1 | 3 | Anomalies | CertificateTakeOver | A-SHA1IntermediateCert | At least one trusted INTERMEDIATE certificate found has a SHA1 signature [6]
1 | 2 | StaleObjects | ObsoleteOS | S-OS-Win7 | Presence of Windows 7 = 1
0 | 3 | Anomalies | CertificateTakeOver | A-SHA1RootCert | At least one trusted ROOT certificate found has a SHA1 signature [11]
0 | 3 | Anomalies | PasswordRetrieval | A-UnixPwd | At least one user has an attribute set which is known to potentially contains a password
0 | 3 | Anomalies | PassTheCredential | A-ProtectedUsers | The Protected Users group doesn't exist on the domain.
0 | 3 | PrivilegedAccounts | AdminControl | P-OperatorsEmpty | 1 operator group(s) are not empty
0 | 4 | Anomalies | WeakPassword | A-NoServicePolicy | No password policy for service account found (MinimumPasswordLength>=20)
0 | 3 | Anomalies | Audit | A-AuditPowershell | The powershell audit configuration is not fully enabled.
0 | 4 | Anomalies | Reconnaissance | A-NoNetSessionHardening | No GPO has been found which implements NetCease